Refactor Docker Scout integration in CVE scan workflow

Simplified the Docker Scout configuration logic by removing unnecessary checks and utilizing Docker's standard auth configuration. Updated environment variable usage and volume mounts to streamline the setup process for scanning containers.
2026-02-14 19:32:50 +01:00
parent 5a7f32541f
commit af6ea11079
1 changed files with 12 additions and 22 deletions
--- a/.github/workflows/container-cve-scan-development.yml
+++ b/.github/workflows/container-cve-scan-development.yml
@@ -24,20 +24,12 @@ jobs:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

-      - name: Docker Scout login bootstrap
-        continue-on-error: true
+      - name: Prepare Docker auth config for Scout container
+        if: ${{ secrets.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }}
        run: |
-          if [ -z "${{ secrets.DOCKERHUB_USERNAME }}" ] || [ -z "${{ secrets.DOCKERHUB_TOKEN }}" ]; then
-            echo "Docker Scout login skipped: DOCKERHUB_USERNAME/DOCKERHUB_TOKEN not set."
-            exit 0
-          fi
          mkdir -p "$RUNNER_TEMP/scout-docker-config"
-          printf '%s' "${{ secrets.DOCKERHUB_TOKEN }}" | docker run --rm -i \
-            -e DOCKER_CONFIG=/home/scout/.docker \
-            -v "$RUNNER_TEMP/scout-docker-config:/home/scout/.docker" \
-            docker/scout-cli:latest login \
-              --username "${{ secrets.DOCKERHUB_USERNAME }}" \
-              --password-stdin || true
+          cp "$HOME/.docker/config.json" "$RUNNER_TEMP/scout-docker-config/config.json"
+          chmod 600 "$RUNNER_TEMP/scout-docker-config/config.json"

      - name: Build backend image (local)
        uses: docker/build-push-action@v6
@@ -114,13 +106,12 @@ jobs:
            echo "Docker Hub Scout scan skipped: DOCKERHUB_USERNAME/DOCKERHUB_TOKEN not set." > scout-backend.txt
            exit 0
          fi
-          if [ ! -f "$HOME/.docker/config.json" ]; then
-            echo "Runner Docker config not found; continuing with Scout login cache if present." > scout-backend.txt
-          fi
          docker run --rm \
            -v /var/run/docker.sock:/var/run/docker.sock \
-            -v "$RUNNER_TEMP/scout-docker-config:/home/scout/.docker" \
-            -e DOCKER_CONFIG=/home/scout/.docker \
+            -v "$RUNNER_TEMP/scout-docker-config:/root/.docker:ro" \
+            -e DOCKER_CONFIG=/root/.docker \
+            -e DOCKER_SCOUT_HUB_USER="${{ secrets.DOCKERHUB_USERNAME }}" \
+            -e DOCKER_SCOUT_HUB_PASSWORD="${{ secrets.DOCKERHUB_TOKEN }}" \
            docker/scout-cli:latest cves nexapg-backend:dev-scan \
            --only-severity critical,high,medium,low > scout-backend.txt 2>&1 || {
              echo "" >> scout-backend.txt
@@ -134,13 +125,12 @@ jobs:
            echo "Docker Hub Scout scan skipped: DOCKERHUB_USERNAME/DOCKERHUB_TOKEN not set." > scout-frontend.txt
            exit 0
          fi
-          if [ ! -f "$HOME/.docker/config.json" ]; then
-            echo "Runner Docker config not found; continuing with Scout login cache if present." > scout-frontend.txt
-          fi
          docker run --rm \
            -v /var/run/docker.sock:/var/run/docker.sock \
-            -v "$RUNNER_TEMP/scout-docker-config:/home/scout/.docker" \
-            -e DOCKER_CONFIG=/home/scout/.docker \
+            -v "$RUNNER_TEMP/scout-docker-config:/root/.docker:ro" \
+            -e DOCKER_CONFIG=/root/.docker \
+            -e DOCKER_SCOUT_HUB_USER="${{ secrets.DOCKERHUB_USERNAME }}" \
+            -e DOCKER_SCOUT_HUB_PASSWORD="${{ secrets.DOCKERHUB_TOKEN }}" \
            docker/scout-cli:latest cves nexapg-frontend:dev-scan \
            --only-severity critical,high,medium,low > scout-frontend.txt 2>&1 || {
              echo "" >> scout-frontend.txt